PayPal Express Checkout for nopCommerce 3.0 & 3.10

6 years ago
a.m. wrote:
We've just upgraded this plugin to version 3.10. Please download it here if you're interested


Andrew, please.
Nobody keeps secure information in clear text. It's the same as keeping user passwords unencrypted.
Could you please change a couple of lines of code, just encrypt at least the API Signature and API password (PaymentPayPalExpressCheckoutController -> Configure()).

Not for me, I'll change it anyway.
But just for people who are not developers.

Thank you!
6 years ago
kaunuk wrote:
Andrew, please.
Nobody keeps secure information in clear text. It's the same as keeping user passwords unencrypted.
Could you please change a couple of lines of code, just encrypt at least the API Signature and API password.

Not for me, I'll change it anyway.
But just for people who are not developers.

What do you mean? What exactly should be encrypted? And where?

P.S. I'm not the author of this plugin. The author of this forum topic is. We've just upgraded it to version 3.10 from 3.00
6 years ago
a.m. wrote:


What do you mean? What exactly should be encrypted? And where?

P.S. I'm not the author of this plugin. The author of this forum topic is. We've just upgraded it to version 3.10 from 3.00


Configure methods for beginning.

here is decryption
// Values are copied from the stored settings into the model as-is
var model = new ConfigurationModel
{
    ApiSignature = _payPalExpressCheckoutPaymentSettings.ApiSignature,
    Password = _payPalExpressCheckoutPaymentSettings.Password,
    Username = _payPalExpressCheckoutPaymentSettings.Username,
};


here is encryption
if (IsLogoImageValid(model.LogoImageURL, out validationErrors))
{
    _payPalExpressCheckoutPaymentSettings.ApiSignature = model.ApiSignature;
    _payPalExpressCheckoutPaymentSettings.Password = model.Password;
    _payPalExpressCheckoutPaymentSettings.Username = model.Username;
}

Then need to decrypt in
GetRequesterCredentials()
method.

I checked the database afterwards: username, password and API signature are in clear text in the database.
Which is totally insecure. Changing it takes just 3 minutes, but will be very helpful.

I wanted to use this plugin, but because of the security issue, I started to write my own plugin.
6 years ago
public string GetVersion()
{
    return "98.0";
}


current version is "106.0"

The latest version is possible to take from the WSDL description. Tomorrow at work I will post a code sample for getting the latest version.
6 years ago
Here is a bit let reliable way to get latest version
        
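// Needs: using System.Linq; using System.Web.Services.Description; using System.Xml;
private string GetAPIVersion()
{
    // Dispose the reader when done and refuse DTDs in the remote document
    using (var reader = new XmlTextReader("https://www.paypalobjects.com/wsdl/PayPalSvc.wsdl") { DtdProcessing = DtdProcessing.Prohibit })
    {
        ServiceDescription wsdl = ServiceDescription.Read(reader);
        // Use the ns:version attribute if present, otherwise fall back to "106.0"
        return wsdl.ExtensibleAttributes.Where(a => a.Name == "ns:version")
            .Select(a => a.Value).FirstOrDefault() ?? "106.0";
    }
}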
6 years ago
kaunuk wrote:
Here is a bit let reliable way to get latest version
        
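// Needs: using System.Linq; using System.Web.Services.Description; using System.Xml;
private string GetAPIVersion()
{
    // Dispose the reader when done and refuse DTDs in the remote document
    using (var reader = new XmlTextReader("https://www.paypalobjects.com/wsdl/PayPalSvc.wsdl") { DtdProcessing = DtdProcessing.Prohibit })
    {
        ServiceDescription wsdl = ServiceDescription.Read(reader);
        // Use the ns:version attribute if present, otherwise fall back to "106.0"
        return wsdl.ExtensibleAttributes.Where(a => a.Name == "ns:version")
            .Select(a => a.Value).FirstOrDefault() ?? "106.0";
    }
}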


I wouldn't do this. We coded against a specific version, getting the latest one from wsdl might mean the gateway didn't work if there are breaking changes.

Also, feel free to encrypt and decrypt the user/pass/api key, but you should be using SSL in admin. If your database is stolen then you can change the PayPal settings in paypal.com. This is not user data and other plugins work the same.
6 years ago
thought wrote:
I wouldn't do this. We coded against a specific version, getting the latest one from wsdl might mean the gateway didn't work if there are breaking changes.

Also, feel free to encrypt and decrypt the user/pass/api key, but you should be using SSL in admin. If your database is stolen then you can change the PayPal settings in paypal.com. This is not user data and other plugins work the same.


Hm. Didn't think about version. Ok, will follow your advice.
About SSL, definitely the admin area will use SSL, but encrypted data looks much safer and gives peace of mind, as an extra protection. Also, I don't know what can happen if the wrong person gets the credentials.

After all, it's just a good practice to encrypt data that have to be secured.
6 years ago
Big issue with currency conversions: the site converts, say, 50 pounds to 75 dollars, but the plugin charges 75 pounds. Same for euros.
6 years ago
How to install it? There are 2 folders. One is in plugin. The other one I don't know where to put. Help please. It looks great but I cannot get it to function.
6 years ago
We're sorry, an internal error occurred.

Our supporting staff has been notified of this error and will address the issue shortly.

We apologize for the inconvenience.

Please try clicking your browsers 'back' button or try reloading the home page.

If you continue to receive this message, please try again in a little while.

Thank you for your patience.